<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
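	<title>Role mapping resources | ElasticSearch 7.7 Definitive Guide (Chinese edition)</title>
	<meta name="keywords" content="ElasticSearch Definitive Guide Chinese edition, elasticsearch 7, es7, real-time data analysis, real-time data retrieval" />
    <meta name="description" content="ElasticSearch Definitive Guide Chinese edition, elasticsearch 7, es7, real-time data analysis, real-time data retrieval" />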
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'role-mapping-resources.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">Original English version: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/role-mapping-resources.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/role-mapping-resources.html</a>, copyright of the original document belongs to www.elastic.co<br/>Local English version: <a href="../en/role-mapping-resources.html" rel="nofollow" target="_blank">../en/role-mapping-resources.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
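<strong>Important</strong>: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">current release documentation</a>.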
</div>
<div id="content">
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="role-mapping-resources"></a>Role mapping resources<a class="xpack_tag" href="https://www.elastic.co/subscriptions"></a>
</h2>
</div></div></div>
<p>A role mapping resource has the following properties:</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">enabled</code>
</span>
</dt>
<dd>
(boolean)  Mappings that have <code class="literal">enabled</code> set to <code class="literal">false</code> are ignored when role
mapping is performed.
</dd>
<dt>
<span class="term">
<code class="literal">metadata</code>
</span>
</dt>
<dd>
(object) Additional metadata that helps define which roles are assigned to each
user. Within the <code class="literal">metadata</code> object, keys beginning with <code class="literal">_</code> are reserved for
system usage.
</dd>
<dt>
<span class="term">
<code class="literal">roles</code>
</span>
</dt>
<dd>
(list) A list of roles that are granted to the users that match the role mapping
rules.
</dd>
<dt>
<span class="term">
<code class="literal">rules</code>
</span>
</dt>
<dd>
<p>
(object) The rules that determine which users should be matched by the mapping.
A rule is a logical condition that is expressed by using a JSON DSL. The DSL supports the following rule types:
</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">any</code>
</span>
</dt>
<dd>
(array of rules) If <span class="strong strong"><strong>any</strong></span> of its children are true, it evaluates to <code class="literal">true</code>.
</dd>
<dt>
<span class="term">
<code class="literal">all</code>
</span>
</dt>
<dd>
(array of rules) If <span class="strong strong"><strong>all</strong></span> of its children are true, it evaluates to <code class="literal">true</code>.
</dd>
<dt>
<span class="term">
<code class="literal">field</code>
</span>
</dt>
<dd>
(object) See <a class="xref" href="role-mapping-resources.html#mapping-roles-rule-field" title="Field rules">Field rules</a>.
</dd>
<dt>
<span class="term">
<code class="literal">except</code>
</span>
</dt>
<dd>
(object) A single rule as an object. Only valid as a child of an <code class="literal">all</code> rule. If
its child is <code class="literal">false</code>, the <code class="literal">except</code> is <code class="literal">true</code>.
</dd>
</dl>
</div>
</dd>
</dl>
</div>
<h4>
<a id="mapping-roles-rule-field"></a>Field rules
</h4>
<p>The <code class="literal">field</code> rule is the primary building block for a role mapping expression.
It takes a single object as its value and that object must contain a single
member with key <em>F</em> and value <em>V</em>. The field rule looks up the value of <em>F</em>
within the user object and then tests whether the user value <em>matches</em> the
provided value <em>V</em>.</p>
<p>The value specified in the field rule can be one of the following types:</p>
<div class="informaltable">
<table border="1" cellpadding="4px">
<colgroup>
<col class="col_1">
<col class="col_2">
<col class="col_3">
</colgroup>
<thead>
<tr>
<th align="left" valign="top">Type</th>
<th align="left" valign="top">Description</th>
<th align="left" valign="top">Example</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" valign="top"><p>Simple String</p></td>
<td align="left" valign="top"><p>Exactly matches the provided value.</p></td>
<td align="left" valign="top"><p><code class="literal">"esadmin"</code></p></td>
</tr>
<tr>
<td align="left" valign="top"><p>Wildcard String</p></td>
<td align="left" valign="top"><p>Matches the provided value using a wildcard.</p></td>
<td align="left" valign="top"><p><code class="literal">"*,dc=example,dc=com"</code></p></td>
</tr>
<tr>
<td align="left" valign="top"><p>Regular Expression</p></td>
<td align="left" valign="top"><p>Matches the provided value using a
                       <a class="xref" href="regexp-syntax.html" title="Regular expression syntax">Lucene regexp</a>.</p></td>
<td align="left" valign="top"><p><code class="literal">"/.*-admin[0-9]*/"</code></p></td>
</tr>
<tr>
<td align="left" valign="top"><p>Number</p></td>
<td align="left" valign="top"><p>Matches an equivalent numerical value.</p></td>
<td align="left" valign="top"><p><code class="literal">7</code></p></td>
</tr>
<tr>
<td align="left" valign="top"><p>Null</p></td>
<td align="left" valign="top"><p>Matches a null or missing value.</p></td>
<td align="left" valign="top"><p><code class="literal">null</code></p></td>
</tr>
<tr>
<td align="left" valign="top"><p>Array</p></td>
<td align="left" valign="top"><p>Tests each element in the array in
                      accordance with the above definitions.
                      If <em>any</em> of the elements match, the match is successful.</p></td>
<td align="left" valign="top"><p><code class="literal">["admin", "operator"]</code></p></td>
</tr>
</tbody>
</table>
</div>
<h5>
<a id="_user_fields"></a>User fields
</h5>
<p>The <em>user object</em> against which rules are evaluated has the following fields:</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">username</code>
</span>
</dt>
<dd>
(string) The username by which the Elasticsearch security features know this user. For
example, <code class="literal">"username": "jsmith"</code>.
</dd>
<dt>
<span class="term">
<code class="literal">dn</code>
</span>
</dt>
<dd>
(string) The <em>Distinguished Name</em> of the user. For example, <code class="literal">"dn": "cn=jsmith,ou=users,dc=example,dc=com"</code>.
</dd>
<dt>
<span class="term">
<code class="literal">groups</code>
</span>
</dt>
<dd>
(array of strings) The groups to which the user belongs. For example, <code class="literal">"groups" : [ "cn=admin,ou=groups,dc=example,dc=com", "cn=esusers,ou=groups,dc=example,dc=com" ]</code>.
</dd>
<dt>
<span class="term">
<code class="literal">metadata</code>
</span>
</dt>
<dd>
(object) Additional metadata for the user. For example, <code class="literal">"metadata": { "cn": "John Smith" }</code>.
</dd>
<dt>
<span class="term">
<code class="literal">realm</code>
</span>
</dt>
<dd>
(object) The realm that authenticated the user. The only field in this object is the realm name. For example, <code class="literal">"realm": { "name": "ldap1" }</code>.
</dd>
</dl>
</div>
<p>The <code class="literal">groups</code> field is multi-valued; a user can belong to many groups. When a
<code class="literal">field</code> rule is applied against a multi-valued field, it is considered to match
if <em>at least one</em> of the member values matches. For example, the following rule
matches any user who is a member of the <code class="literal">admin</code> group, regardless of any
other groups they belong to:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">{ "field" : { "groups" : "admin" } }</pre>
</div>
<p>For additional realm-specific details, see
<a class="xref" href="mapping-roles.html#ldap-role-mapping" title="Active Directory and LDAP realms">Active Directory and LDAP realms</a>.</p>
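<p>An added sketch (not Elasticsearch's own code) of how the rules DSL, the field-rule value types and the <code class="literal">enabled</code> flag described on this page combine, useful for checking which roles a given user object would receive from a set of mappings before deploying them. Assumptions: the function names and role names are hypothetical, Python's <code class="literal">re</code> stands in for Lucene regexp syntax, only <code class="literal">*</code> is treated as a wildcard, comparison is case-sensitive, and <em>F</em> may be a dotted path such as <code class="literal">realm.name</code>.</p>

```python
import re

def value_matches(user_value, v):
    """Test a user value against rule value V (value-type table above)."""
    if isinstance(v, list):                      # Array: any element may match
        return any(value_matches(user_value, x) for x in v)
    if isinstance(user_value, list):             # multi-valued field such as groups
        return any(value_matches(u, v) for u in user_value)
    if v is None or not isinstance(v, str):      # Null (or missing) and Number
        return user_value == v and not isinstance(user_value, bool)
    if v.startswith("/") and v.endswith("/") and v != "/":
        pattern = v[1:-1]        # assumption: Python re approximates Lucene regexp
    else:                        # simple or wildcard string; only "*" is expanded
        pattern = ".*".join(re.escape(part) for part in v.split("*"))
    return isinstance(user_value, str) and re.fullmatch(pattern, user_value) is not None

def lookup(user, path):          # assumption: F may be a dotted path, e.g. realm.name
    node = user
    for key in path.split("."):
        node = node.get(key) if isinstance(node, dict) else None
    return node

def evaluate(rule, user, in_all=False):
    """Evaluate a rule object holding exactly one of any/all/field/except."""
    (kind, body), = rule.items()                 # ValueError unless exactly one key
    if kind == "any":
        return any(evaluate(r, user) for r in body)
    if kind == "all":
        return all(evaluate(r, user, in_all=True) for r in body)
    if kind == "except" and in_all:              # only valid as a child of all
        return not evaluate(body, user)
    if kind == "field":
        (name, value), = body.items()            # single member: key F, value V
        return value_matches(lookup(user, name), value)
    raise ValueError("invalid rule type here: " + kind)

def roles_for(user, mappings):   # mappings with enabled set to false are ignored
    return {role for m in mappings
            if m.get("enabled") and evaluate(m["rules"], user) for role in m["roles"]}

USER = {"username": "jsmith", "dn": "cn=jsmith,ou=users,dc=example,dc=com",  # constructed
        "groups": ["cn=admin,ou=groups,dc=example,dc=com",
                   "cn=esusers,ou=groups,dc=example,dc=com"],
        "metadata": {"cn": "John Smith"}, "realm": {"name": "ldap1"}}
MAPPINGS = [  # constructed sample mappings; role names are hypothetical
    {"enabled": True, "roles": ["ops_admin"], "rules": {"all": [
        {"field": {"groups": "cn=admin,*"}}, {"except": {"field": {"realm.name": "native1"}}}]}},
    {"enabled": False, "roles": ["legacy_all"], "rules": {"field": {"username": "*"}}},
    {"enabled": True, "roles": ["reader"], "rules": {"field": {"dn": "*,dc=example,dc=com"}}}]
print(sorted(roles_for(USER, MAPPINGS)))         # ['ops_admin', 'reader']
```

<p>The disabled <code class="literal">legacy_all</code> mapping would match every username, which is why auditing the <code class="literal">enabled</code> flag together with broad wildcards matters before a mapping is switched on.</p>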
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>